Can I have multiple AWS provider blocks without using aliases?

No. Terraform allows exactly one default (non-aliased) provider block per provider type per module. Every additional `provider "aws"` block must include a unique `alias` argument. If you declare two `provider "aws"` blocks without aliases, Terraform throws a duplicate provider configuration error at init time.

Why does my child module fail with 'provider configuration not present' even though I declared the alias in the root module?

Child modules do not automatically inherit aliased providers from the root. You must explicitly pass them via the `providers` map in the module block (e.g., `providers = { aws = aws.us_west_2 }`), AND the child module must declare the alias in its own `required_providers` block using `configuration_aliases`. Both steps are required as of Terraform 0.13+.

Does the alias name need to match the AWS region name, or can it be anything?

The alias is an arbitrary string — it's a Terraform-internal label, not an AWS API concept. `alias = "us_west_2"`, `alias = "secondary"`, or `alias = "dr_region"` are all equally valid. The only constraint is that it must be a valid Terraform identifier (alphanumeric and underscores, no hyphens) and must be unique within the module scope. Using the region name as the alias is a common convention for clarity but is not enforced.

How to Fix Terraform 'Invalid Provider Configuration for AWS Alias' Error (Multi-Region & Cross-Account)

Threat/Impact Level: HIGH | Exploitability/Downtime Risk: HIGH | Time to Fix: 10 mins

TL;DR

What broke: Terraform cannot resolve a named AWS provider alias — either the alias argument is missing from the provider block, a resource is referencing an alias that doesn't exist, or the provider meta-argument on a resource is malformed.
How to fix it: Declare the alias field explicitly in every non-default provider "aws" block, and wire each dependent resource/module to it via the provider = aws.<alias> meta-argument.
Fast path: Use our Client-Side Sandbox below to auto-refactor this — paste your broken provider and resource blocks and get corrected HCL without leaking your credentials anywhere.

The Incident (What Does the Error Mean?)

Raw error output from terraform plan or terraform init:

Error: Invalid provider configuration

  on main.tf line 12, in resource "aws_s3_bucket" "replica":
  12:   provider = aws.us_west_2

The provider aws.us_west_2 is not available. A provider configuration
block with the alias "us_west_2" must exist.

or alternatively:

Error: Invalid provider configuration for 'aws' alias

Provider "registry.terraform.io/hashicorp/aws" requires an alias
configuration that has not been declared.

Immediate consequence: terraform plan hard-stops. No diff is generated. No resources are evaluated. Every downstream module that depends on this provider reference is also blocked. In a CI/CD pipeline, this surfaces as a pipeline failure at the plan stage, blocking all PRs touching that workspace.

The Attack Vector / Blast Radius

This error is most lethal in multi-region active-active architectures and cross-account assume-role patterns — exactly the configurations where alias providers are mandatory.

Blast radius breakdown:

Multi-region replication broken: S3 cross-region replication, RDS read replicas, Route 53 health checks with regional failover — all rely on aliased providers. A misconfigured alias silently prevents the secondary region from ever being provisioned, creating a false sense of disaster recovery that only fails during an actual incident.
Cross-account deployments stalled: Patterns using assume_role inside a provider block with an alias (e.g., a shared-services account deploying into spoke accounts) will fail at plan time. Every downstream account is unprovisioned.
Module consumers broken silently: If a root module passes an aliased provider to a child module via providers = { aws = aws.secondary } and the alias is missing, the child module fails with a cryptic error that doesn't point back to the root cause.
State drift risk: If a partial apply succeeded before the alias error was introduced (e.g., via a bad refactor), re-running plan will show phantom destroy operations because Terraform can't reconcile the provider reference in state.

There is no security exploit vector here directly, but a missing DR region provider is a silent availability bomb — your runbook says you have us-west-2 failover; your Terraform says otherwise.

How to Fix It (The Solution)

Root Cause Checklist

Before touching code, confirm which failure mode you hit:

Missing alias in the provider block — you have a second provider "aws" block but forgot alias = "..." inside it.
Typo mismatch — provider = aws.us_west_2 in a resource but the provider block declares alias = "uswest2" (underscore vs no underscore).
Resource missing provider meta-argument — the aliased provider exists but the resource doesn't declare which provider to use, so it falls back to the default and fails type-checking.
Module not receiving the provider — a child module uses an aliased provider internally but the root module isn't passing it via the providers argument.

Basic Fix — Single Aliased Provider (Multi-Region)

# providers.tf

 provider "aws" {
   region = "us-east-1"
 }

+provider "aws" {
+  alias  = "us_west_2"
+  region = "us-west-2"
+}

# main.tf

 resource "aws_s3_bucket" "replica" {
   bucket = "my-replica-bucket"
-  # Missing provider reference — Terraform uses default, then fails
+  provider = aws.us_west_2
 }

Enterprise Best Practice — Cross-Account with `assume_role` + Alias

This is the production pattern for landing zone architectures (AWS Control Tower, multi-account org structures).

# providers.tf

 provider "aws" {
   region = "us-east-1"
   # Default provider — management account
 }

+provider "aws" {
+  alias  = "workload_account"
+  region = "us-east-1"
+
+  assume_role {
+    role_arn     = "arn:aws:iam::${var.workload_account_id}:role/TerraformDeployRole"
+    session_name = "terraform-deploy"
+    external_id  = var.external_id
+  }
+}

# main.tf — passing aliased provider into a child module

 module "workload_vpc" {
   source = "./modules/vpc"

-  # No providers block — module silently uses wrong account
+  providers = {
+    aws = aws.workload_account
+  }

   cidr_block = "10.1.0.0/16"
 }

Inside the child module (modules/vpc/providers.tf) — required configuration:

+terraform {
+  required_providers {
+    aws = {
+      source                = "hashicorp/aws"
+      version               = ">= 5.0"
+      configuration_aliases = [aws.workload_account]
+    }
+  }
+}

⚠️ Critical: The configuration_aliases declaration inside the child module's required_providers block is mandatory as of Terraform 0.13+. Omitting it causes Terraform to reject the passed provider with a different but equally confusing error.

💡 Tired of pasting proprietary configs into ChatGPT? Generic AI tools log your company's ARNs, DB strings, and private keys. StackEngine is a zero-backend, pure Client-Side WASM utility. Drop your failing config into the sandbox above. We redact your secrets locally in the browser and auto-generate the refactored code using your own API key.

Prevention in CI/CD

This class of error is 100% preventable pre-merge. Wire these into your pipeline:

1. `terraform validate` as a pre-commit gate

This catches alias resolution errors before any remote state is touched:

# .github/workflows/terraform.yml
- name: Terraform Validate
  run: |
    terraform init -backend=false
    terraform validate

terraform validate does not require AWS credentials and will catch missing alias declarations immediately.

2. Checkov — Policy-as-Code for provider hygiene

checkov -d . --check CKV_TF_1 --framework terraform

For custom alias enforcement, add an OPA policy:

# policy/provider_alias_check.rego
package terraform.provider

deny[msg] {
  provider := input.configuration.provider_config[_]
  provider.name == "aws"
  not provider.alias
  count([r | r := input.resource_changes[_]; r.provider_name == "registry.terraform.io/hashicorp/aws"]) > 1
  msg := "Multiple AWS provider blocks detected without explicit aliases. All non-default AWS providers must declare an alias."
}

3. `tflint` with the AWS ruleset

tflint --enable-plugin=aws
tflint --var-file=terraform.tfvars

The aws_provider_missing_default_tags and related rules surface provider misconfiguration before plan.

4. Atlantis / Spacelift plan output as PR check

Ensure your GitOps platform runs terraform plan on every PR and blocks merge on non-zero exit codes. A failed alias resolution always exits non-zero — this is your last automated safety net.

Bottom line: Alias provider errors are a pre-flight failure. They should never reach a human reviewer. If they do, your CI pipeline has a gap. Fix the pipeline, not just the HCL.